Information Security News mailing list archives

NIST tool analyzes security


From: InfoSec News <isn () C4I ORG>
Date: Wed, 14 Mar 2001 10:31:40 -0600

http://www.fcw.com/fcw/articles/2001/0312/web-nist-03-14-01.asp

BY Diane Frank
03/14/2001

The National Institute of Standards and Technology released draft
guidance last week for agencies that are attempting to perform
self-assessments of their information security programs.

The draft Self-Assessment Guide for Information Technology Systems is
a questionnaire that builds upon the Federal IT Security Assessment
Framework, which was developed by NIST and issued by the Chief
Information Officers Council in November 2000.

To comply with the new Government Information Security Reform Act, the
Office of Management and Budget directed agencies to use the framework
as one of many tools for managing security policies. The
framework helps agencies measure their security programs' status
against five levels.

The draft guidance provides specifics on how to go about performing
those measurements and is intended to give agencies specific steps to
improve their programs.

The questionnaire itself, which covers 17 control areas within a
complete security program, is designed to provide results that will
enable agencies to determine where a system's security program needs
improvement. Agency officials would scan marked columns in the
questionnaire to analyze the specific controls that need to be
documented, implemented, tested and integrated into the life cycle of
a system.

Questions are in areas of management controls, operational controls
and technical controls, and delve deeper with more than 200 specific
questions. Once agency officials complete the questionnaire, it
provides guidance on how to analyze and use the results.

Comments on the draft are due back to Marianne Swanson at NIST by
April 9 at marianne.swanson () nist gov.

ISN is hosted by SecurityFocus.com